A howto to guide a user thru setting up a vpn client, utilizing vpnc. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Created attachment 62501 [details] the starting point This attachment is the work I've done so far
Created attachment 62511 [details] version 0.1
Created attachment 62569 [details] version 0.2
Created attachment 62813 [details] version 0.3 progress, slow but steady.
Created attachment 63106 [details] version 0.4 ... keep on keepin on ....
Created attachment 63841 [details] version 0.5 Added the skeleton for a tips and tricks section, as well as a correction or two.
Comment on attachment 63841 [details] version 0.5 Selectin text/plain makes it easier for us to read given attachment directly from browser.
Created attachment 64761 [details] version 0.6 This is close to being content complete. Any feedback would be appreciated. To-Do List ------------------------ Finish Tips / Usefull Links / and Final Notes section ( or remove ) Read formatting guidlines. Spell Check. Test the setup on another PC.
Created attachment 64838 [details] version 0.7 This document is what I would consider "content complete". I will be testing the document on another workstation to verify the steps are in a good order and that they make sense. I will use this testing to update the documentation to account for a couple things: 1. Newer versions of software utilized in this doc. 2. Logical structure. Do my steps make sense? 3. Is there anything else I could have mentioned to make the doc more complete? Other to-do items ------------------------ Read formatting guidlines. Spell Check. Feedback, would be very usefull at this point!
You should add your email address at insertemailaddresshere, or drop the <mail></mail> and just use your name if you don't want your e-mail listed (we would appreciate if you put it in as a comment though in case we want to contact you). The guide should be licensed under the CC-BY-SA license (2.5 currently, but you should allow future versions as well). Without this Gentoo can't publish the guide. You can put this license information in it below the <abstract> using: <!-- The content of this document is licensed under the CC-BY-SA license --> <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> <license/> There are some coding style issues but we can take care of that (unless you're planning on more contributions in which case it might be interesting for you to know what the coding style issues are). The guide does seem to be complete and well explained.
Created attachment 64911 [details] version 0.8 1. Fixed the mail link ( removed it ), and added my email in the comments 2. Added license info * I would be interested in learning about the coding style issues. I am planning on further contributions. - any additional comments and suggestions would be welcomed.
I'll take a look, fix the coding style and inform you what I did; will post the fixed version soonish
Created attachment 65170 [details] Gentoo vpnc HOWTO, version 0.9 Lots of fixes, including: - Proper capitalisation of abbreviations, protocols, trademark names - Coding Style (see http://www.gentoo.org/doc/en/xml-guide.xml), including 2 spaces instead of tabs, proper indentation, using <path> where needed, ... - Consistent language form (I opted to use "you" always, it had "we" and "you" mixed) - Don't use trailing characters in titles, like "." or ":" - Remove reference of versions that outdate the document sooner than it is reviewed - Spelling mistakes, like its (it's), accross (across), ... I have also Gentoo-ified the script you had using the functions.sh features (like ebegin/eend, einfo, ...) because it makes the script better-looking :)
> - Proper capitalisation of abbreviations, protocols, trademark names - thanks, nobody enjoys doing this stuff .. > - Coding Style (see http://www.gentoo.org/doc/en/xml-guide.xml), including 2 > spaces instead of tabs, proper indentation, using <path> where needed, ... - good to know > - Consistent language form (I opted to use "you" always, it had "we" and "you" > mixed) - I've only tested this setup once, so .... this step was pending .. thanks > - Don't use trailing characters in titles, like "." or ":" > - Remove reference of versions that outdate the document sooner than it is > reviewed - i'm not sure I understand the point of this, but then again, you're the expert > - Spelling mistakes, like its (it's), accross (across), ... - always nice > > I have also Gentoo-ified the script you had using the functions.sh features > (like ebegin/eend, einfo, ...) because it makes the script better-looking :) - yeah, this is cooler. thank you.
Well, if you add note's about "this document uses blabla version" you will often get bugreports about "version blabla is not in portage" while the guide is still valid (vpnc's behavior wont change much with each version increase). Better is to have the guide not mention any version so that people who read it don't mistakenly treat it as an outdated guide. Anyway, if anyone could take a final look at the guide, perhaps even test it (I don't have a VPN anymore)? The guide looks correct from what I can tell from prior experience.
(In reply to comment #15) > Well, if you add note's about "this document uses blabla version" you will often > get bugreports about "version blabla is not in portage" while the guide is still > valid (vpnc's behavior wont change much with each version increase). > i see your point. > Better is to have the guide not mention any version so that people who read it > don't mistakenly treat it as an outdated guide. > didn't think about that, seems reasonable.
Created attachment 65339 [details] version 0.10 Notes -------------- fully tested on alternate workstation. Changes ---------------- grammer fix in introduction added note about rdesktop vs grdesktop in TIPS section Question ------------------- should we add a note about modules.autoload for the tun modules ? an example such as : echo tun >> /etc/modules.autoload.d/kernel-2.6 this would obviously be a valid tip for 2.6 users ... but what about 2.4? I haven't used 2.4 in ages, so I'm not sure if this would just add confusion ...
If you think it's needed, sure, please add it. BTW, I'm dropping things in http://www.gentoo.org/doc/en/draft/vpnc-howto.xml until it's ripe for final submission :)
(In reply to comment #18) > If you think it's needed, sure, please add it. > > BTW, I'm dropping things in http://www.gentoo.org/doc/en/draft/vpnc-howto.xml > until it's ripe for final submission :) cool ... should I be able to view this ? ... that link doesn't work for me ...
(In reply to comment #19) > cool ... should I be able to view this ? ... that link doesn't work for me ... Yeah you can see it and it does work now. CVS -> Webnodes takes a while...
Any updates pending? Or can we migrate the draft one to the official location?
(In reply to comment #21) > Any updates pending? Or can we migrate the draft one to the official location? nope
"No" on pending changes, or "No" on migrating the document to the official repository? :)
no on pending changes
Created attachment 77310 [details] version 0.11 This guide has been updated for the new version of vpnc (0.3.3-r1). This guide is commit ready ... I think ... No changes pending ...
Created attachment 78833 [details] version 0.12 - author email link added - added more "<c></c>" tags - changed emerge commands to include -av options - misc fixes
hanno, you're the maintainer of net-misc/vpnc, could you please comment?
0.12 changes have been put in http://www.gentoo.org/doc/en/draft/vpnc-howto.xml.
A detail should be added. vpnc 0.4.0-r1 now contains an init script which allows multiple instances of VPNs to be started. The init files work similar to net (vpnc.test uses /etc/vpnc/test.conf and so on).
I have got a few comments regarding the Howto: I do not understand the purposes of the sections 6. Setup DNS and 7. Configuring the routing table. I never had to touch anything to get that working (on an up to date system). According to the man page the vpnc-script takes care of the routes and it updates /etc/resolve.conf too. The tunnel device now is called vpnlink in the ifconfig -a output. (Kernel: gentoo-sources-2.6.19-r5, udev-104-r11 and vpnc-0.4.0)
Hi, That's a very nice howto, however, some suggestions : - warn that cisco's group password protocol is broken by design (MITM): http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml - link to a decrypting program instead of letting users giving away their passwords on a non trusted/non https website : http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c (compiles with: gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags) ) maybe this tool should be integrated into net-misc/vpnc ebuild ? or a separate one, i can write one if needed. The worst thing is that to mount a successful MiTM attack you just need the decrypted group key :( So the one who is setting up it's vpn over a wireless link is owned :) The attacker gains knowledge of the password and all the data in the tunnel. @Sebastian: - The dns stuff makes sense if you have a partial tunnel (i.e.) to your job network, but you don't want to leak inforamtion on what pages you visit with dns queries ... - the routes make sense too, if the router is set up to get all the traffic trough the vnp instead of a few (say company net) routes only. In this case adding a few routes to direct "world but company" traffic to avoid vpn... all this is just optional and depends on the config of the cisco routers, whether they are going to ask to route all the traffic to the vpn or just some subnets... and also mostly on your trust/mistrust/paranoia wrt the routers admins/company.
(In reply to comment #31) > maybe this tool should be integrated into net-misc/vpnc ebuild ? or a separate > one, i can write one if needed. cisco-decrypt.c is integrated into the current vpnc, the executable is build, but not installed by the Makefile. This will be reported upstream and maybe we should install it by hand in the ebuild. Should it be /usr/sbin/ or /usr/bin/?
(In reply to comment #32) > > cisco-decrypt.c is integrated into the current vpnc, the executable is build, > but not installed by the Makefile. This will be reported upstream and maybe we > should install it by hand in the ebuild. good, i didn't noticed it ... > Should it be /usr/sbin/ or /usr/bin/? i would say /usr/bin, if it does not "needs" to be used as root so it should not ...
Created attachment 111455 [details, diff] vpnc How-To 0.13 Reworked it a bit to fit the current status: - remove some parts about kernel configuration - correct some typos - removed link to decryption home page and added program (reworked note) - introduced converter for pcf profiles - wrote section about init scripts
Created attachment 120062 [details] version 0.14 changes since 0.13: - readded some parts about kernel configuration - some minor improvements (thanks to nightmorph for the hints)
Latest version will appear shortly at http://www.gentoo.org/doc/en/vpnc-howto.xml If you think this guide is ready to be listed in our index and lose its draft status, just say so :)
(In reply to comment #36) > If you think this guide is ready to be listed in our index and lose its draft > status, just say so :) nightmorph...do your work. You will close this bug?
Time to make this thing officially 1.0 and add it to our docs (opfer's request), so I'll give it a last cleanup and do so.
Fixed (at last) in CVS, yay for finishing old bugs. Thanks for the contributions.
